
VIRUS with new Adobe Flash installer

New Here, Sep 30, 2017

While visiting Apple.com, I got a message to update Adobe Flash. I did the update, and then noticed intermittent reloading of Safari and then all my tabs on Safari were deleted. After I downloaded the update, there was a page from Advanced Mac Cleaner (which I have not installed) to clean my Mac, a new icon that I didn't recognize was installed in my Dock, and the settings on my Dock were changed. Finally, there was a link button in the Safari favorites bar that I didn't recognize and didn't make sense.

Looking at Safari's history, I found this link appearing just after I had visited Apple's webpage:

http://prepareupdate.theperfectsys2upgrade.date./?pcl=y6VPxBs3Pn8vJaswO9uFDee03s6zyagrT_eGS0Ozc_g.&c...

Unfortunately I deleted the icon in my Dock and don't remember what it was. I changed my user password on my Mac, and also downloaded and used Malwarebytes, which recognized Advanced Mac Cleaner as spyware/adware and quarantined it.

I contacted Apple Support about this and they are unaware of this problem but I did find this website:

Remove Advanced Mac Cleaner virus from Mac OS X

Apple Support told me to continue using Malwarebytes and install macOS High Sierra, which I am now doing.

I am puzzled as to how this could have happened with the Adobe Flash update, and are there any other effects of this virus? Does anyone else know about this?

Message was edited by: Jeromie Clark - Removed the blue text background

Advisor, Jun 20, 2018

Never ever install any Flash plugin from outside adobe.com; you will surely get viruses and malware.

Adobe Employee, Jun 20, 2018

Hi,


Thank you for posting the screenshot. It indicates the installer was downloaded from a non-Adobe site (s3.amazon.com, which is Amazon's cloud service). Unfortunately, you were tricked into downloading an unauthorized installer, which is most likely malicious. I recommend you run a full virus, malware, adware, etc. scan of your system. If you can restore to a point prior to installing that unauthorized Flash Player, I recommend doing that.

--

Maria

Adobe Employee, Jun 20, 2018

Sorry this happened to you.  I'm going to leave some advice here for other folks that may run across this.

Unfortunately, because Flash Player is installed on billions of computers, it's a common target for impersonation for people distributing malware.

As an industry, we've done a pretty good job of defending against technical attacks that allow bad guys to install software without your authorization.  In 2018, it's really difficult to do (assuming you're running a modern operating system and not something from 2005, in which case, you should get on that).

The result is that human factors are now the path of least resistance.  It's easier to trick you into installing something on behalf of the attacker, vs. figuring out how to defeat all of the security stuff required to do it without your express permission.

In general, you're better off setting everything to update automatically. You can then go through life assuming that any update notifications you get are bogus. This is actually what we strongly recommend, and it generally applies to anything tasked with handling untrusted communication (the operating system, your web browser, Flash Player, etc.). The inconvenience of something functional breaking because of an update pales in comparison to the pain of recovering from identity theft.

Here are a few guidelines that will minimize your risk of getting tricked into installing malware:

- Wherever possible, use your operating system's App Store for downloading and updating software

- When software you want (like Flash Player) isn't available from the App Store for your operating system, always navigate directly to the vendor's website.  If you need to search for the download, that's cool -- but avoid "download" sites, and find the vendor's actual download link

- Never download stuff from a link in an email or update dialog. Type it in. It's easy to disguise fake URLs in links using internationalized characters and things (e is not the same as è, but it might be really easy to miss if you're not looking closely). If it's a link from a URL shortener service like tinyurl.com/abcde or bit.ly/abcde, you don't know what the end result is going to be, and you're probably wise to just head to Google to find what you need instead.

- When the software offers automatic updates, just turn them on and stop worrying about maintaining all the moving parts running on your computer.  The threat landscape is so much different than it was 10-15 years ago.  Enable updates so that you're getting critical patches as soon as they become available.  Be confident that any subsequent update notifications are probably fake, and act accordingly (either ignore them, or consult the vendor for guidance before doing anything).

For Flash Player specifically:

Always download Flash Player from here:  https://get.adobe.com/flashplayer/

When you install, choose the default option of "Allow Adobe to Install Updates (recommended)", and we'll keep it updated for you.

Google Chrome ships Flash Player as a built-in component, and keeps it updated automatically.  There's nothing separate to download, install or configure.

Microsoft Edge and Internet Explorer on Windows 8 and higher also include Flash Player as a built-in component of their browser, and updates are handled automatically through Windows Update.  Again, as long as Windows Update is enabled, there's nothing to download or configure.

Also, while you've manually cleaned up the stuff that you can see, you installed malware on your machine.  There's a large universe of unknown unknowns, but the malware guys at this point are generally professionals.  They test against the popular antivirus and cleanup tools.  While you've removed the obvious visible signs of the malware infection, you're putting a lot of faith into the tools that you used.  This sort of requires a gut-check on your part about what your risk tolerance and confidence level is.  It also depends on what you do with the computer (health care, banking, etc.).  Good malware is going to first establish a foothold, but the second order of business would be to ensure resilience.  Without an exhaustive (and expensive) forensic analysis, there are no guarantees that you've eradicated everything that was installed.

If it were me, I'd probably back up all of the critical data on the machine and then burn the whole thing down and start from scratch (e.g. format the hard disk, reinstall the operating system and applications from pristine sources, install a reputable antivirus utility, scan my backups and then restore them). I'd then go buy a password manager like LastPass/OnePass/KeyPass/etc. and set about ensuring that I have unique, strong passwords for each of the important online services that I use (including any email services that could be used to reset those passwords), and set up two-factor authentication wherever it's offered.

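The download-source checks from the post above (use the vendor's own site, distrust lookalike characters and URL shorteners), written out as an added Python example; it is not part of the original thread and not Adobe's tooling. The function names, reason strings and the sample URLs other than the links quoted in the thread are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the vendor domain is taken from the download links in the thread.
VENDOR_DOMAINS = ("adobe.com",)
# URL shorteners named in the post; the destination is unknown until followed.
SHORTENERS = ("tinyurl.com", "bit.ly")


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain (label-boundary match)."""
    return host == domain or host.endswith("." + domain)


def check_download_url(url):
    """Return the reasons not to trust a download URL; an empty list means it passed."""
    reasons = []
    parts = urlsplit(url.strip())
    # urlsplit lowercases the host; a trailing dot names the same DNS host.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["no hostname found"]
    if parts.scheme != "https":
        reasons.append("not served over https")
    try:
        # Convert to the ASCII (punycode) form so lookalike letters become visible.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return reasons + ["hostname is not a valid domain name"]
    labels = ascii_host.split(".")
    if ascii_host != host or any(label.startswith("xn--") for label in labels):
        reasons.append("internationalized hostname, possible lookalike: " + ascii_host)
    if any(under_domain(ascii_host, s) for s in SHORTENERS):
        reasons.append("URL shortener, final destination unknown")
    if not any(under_domain(ascii_host, d) for d in VENDOR_DOMAINS):
        reasons.append("host is not under " + " or ".join(VENDOR_DOMAINS))
    return reasons


# Sample inputs: the first two links and the hosts in the third and fourth appear
# in the thread; the paths and the remaining URLs are constructed.
SAMPLES = [
    "https://get.adobe.com/flashplayer/",
    "https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html",
    "http://prepareupdate.theperfectsys2upgrade.date./",
    "https://s3.amazon.com/example-bucket/installer.dmg",
    "https://get.adobè.com/flashplayer/",
    "https://get.adobe.com.example.net/flashplayer/",
    "https://bit.ly/abcde",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        problems = check_download_url(sample)
        print("OK    " if not problems else "REJECT", sample)
        for problem in problems:
            print("        -", problem)
```
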
New Here, Jun 27, 2018

It's not just part of a search engine function, this was the site suggested by simple search sites. Sick of fake Adobe downloads... what's the alternative, community?

Adobe Employee, Jun 27, 2018

I actually cover that in the post above, but in essence, you have three options:

1.) Don't use Flash Player.

Uninstall Flash Player - Windows:

https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

Uninstall Flash Player - Mac:

https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html

2.) Use a browser that ships Flash Player as a built-in component:

Google Chrome on all supported platforms

Internet Explorer and Edge on Windows 8 and Higher

3.) Always download Flash Player from Adobe's website, and set it to automatically update

You can always download Flash Player from here (make a bookmark for convenience, if you'd like):
https://get.adobe.com/flashplayer

When installing, set it to automatically update.  Consider all other update notifications and dialogs bogus, and ignore them.

Adobe Employee, Jun 27, 2018

The alternative is to always go to https://get.adobe.com/flashplayer to download Flash.

"this was the site suggested by simple search sites."

Not sure what site you are referring to here; however, search engines use various algorithms to display results and don't necessarily display the best result. If you're searching for some specific software to install and the top results are not from the company that produces the software, don't go to those sites to download the software. Go directly to the company's website and search for it there. That's the best option when downloading ANY software.

LEGEND, Jul 05, 2018

Be VERY cautious of using search engines to find ANYTHING important. Banks, bill payments, software downloads, even government sites - all of these, used in a search engine, can send you to fake sites that want to steal from you. Use common sense, look very closely at the web addresses and check certificates. If possible, use printed materials to double check.

New Here, Jul 04, 2018

FakeFlashPlayer.jpg

They tried to get me too. Didn't open it, it wasn't from the app store!

It automatically downloaded to my downloads folder when I clicked a link on Facebook.

Adobe Employee, Jul 04, 2018

Hi William,

Thanks for reporting the issue. I would forward the same to the phishing team.

Thanks!

Community Beginner, Jul 15, 2018

Just for information's sake, I too downloaded the latest Flash updater from Adobe's homepage today and it had this malware that has been referred to, some Mac cleaning app. It messed with my browser settings too, and I was able to fix those. I was able to clear it from my Mac Pro by following some honest tips from online. But I am genuinely surprised how it somehow attached itself. You pros know, I'm a newb. But I am not buying the surprise the Adobe techs have shown. I can appreciate the team is working their hardest to stay ahead of these hackers. But this hack seems unprecedented.

Adobe Employee, Jul 16, 2018

If you still have the file that was downloaded, right-click on the file and select 'more info', then post a screenshot of the complete URL from where the file was downloaded, as the other user did in post 31.


Thank you.

--

Maria

LEGEND, Jul 15, 2018

Please check your  browser history to find the exact page at Adobe that you downloaded from. Flash Player is in several places, but not on the home page. Let us know the URL (web address).

New Here, Sep 18, 2018

Hi downloaded this yesterday---

here's a screenshot from the .dmg info page.

Screen Shot 2018-09-18 at 10.22.21 AM.png

Adobe Employee, Sep 18, 2018

Thanks for providing the information.  I've forwarded it to the fraud team.

In the future, feel free to email phishing@adobe.com directly with the information.

Information on reporting various types of abuse/security issues is provided at Notifying Adobe of Security Issues

New Here, Sep 18, 2018

How should I proceed with removing it?

Adobe Employee, Sep 18, 2018

If you ran the installer and it installed unwanted programs on your system then you'd need to remove those, by whichever method is appropriate (e.g. move them to the trash, etc).  Also delete the downloaded file from your system (move to trash & empty trash).

Malware/virus removal assistance is beyond the scope of these forums, and our expertise.

New Here, Sep 26, 2018

I just had this happen after visiting a restaurant website. It appears it was downloaded twice? I unknowingly installed a fraudulent Adobe Flash Player, which seemed to install a booking.com app and an Advanced Mac Cleaner app - although when I check system installations, none of these appear to be listed. They do, however, appear in my applications folder.

.dmg info-->

Screen Shot 2018-09-26 at 10.16.46 AM.png

Screen Shot 2018-09-26 at 10.39.32 AM.png

Apps installed -->

Screen Shot 2018-09-26 at 10.36.35 AM.png

"Player" -->

Screen Shot 2018-09-26 at 10.36.28 AM.png

It also appears to have made changes to browser settings, adding a specific page as startup page for chrome -->

It also changed my default browser to yahoo.

Screen Shot 2018-09-26 at 10.09.42 AM.png

I will send this also to phishing team.  As I understand it's beyond the scope of this forum to address malware scanning, are there any suggestions of where I can go / which professional I can go to to fix this/clear all malware that is not visible?

Adobe Employee, Sep 26, 2018

My post back on June 20th gives a pretty exhaustive explanation of the implications and your options.  Your local computer person is just going to pick their favorite tool(s) and run them.

The problem, at least from my perspective, is that you don't know what you don't know.  Did the tool(s) get everything?  Maybe.  Is that good enough?  It depends on your risk tolerance.

There are basically two options:

  • You can spend a bunch of money on tools and/or technicians and hope for the best.  
  • You can spend a day wiping and restoring the machine (or if you have backups, restoring to a point in time before you did this).  That's free, and you can be pretty confident that you're in a good state when you're done.

New Here, Sep 26, 2018

Thanks very much, I just read through your older post which was very helpful. The only thing I'm unclear about is this - if I back up all important files/apps etc. from my computer onto an external hard drive, wipe my computer, and then put that data back on, is there any risk that those files are corrupted/infected in any way and still contain the virus? And would putting them onto an existing external hard drive with other files pose any risks?

Adobe Employee, Sep 26, 2018

In general, malware is going to establish a foothold on the machine, and then do some stuff to stay resilient in the event that you try to get rid of it. Because malware actually has to *run* to do anything, it makes the most sense to infect things like applications and executable library files.

It's not impossible that they might attempt to infect data files, but you'd have to put a highly engineered payload in the data that you know would cause the application reading the file to crash in a specific and predictable way, which would in turn allow you to gain control over the processor in a way that would effectively give you administrator rights on the machine.  It's not impossible, but it's really hard, and not typically what you see with commodity malware.

So the point is to back up the data, but not the operating system or the applications, and before you restore the data, you make sure that everything on the machine is fully patched, and that you have a good virus scanner installed and running.  In the event that the data on your machine has a recognizable malicious payload, it should get caught as you copy it back over.

There's some amount of risk that malware could target the attached USB disks (ransomware is known to encrypt both your primary machine and any attached drives), but they're generally not a persistent source of infection.  USB thumb drives tend to be more problematic because malware has been shown to infect the firmware on the actual device, for the purpose of then deploying a malicious payload to every device it's plugged into afterwards (and there's no way to fix it that doesn't involve a hammer).

If you wanted to be extra cautious, you could back up to a cloud storage service (I think Google Drive might even scan for viruses on transfer), or you could put the USB drive on a trusted machine and share it over the network.  On Mac, you can also boot the whole machine into Transfer mode (it basically just turns the machine into a USB hard disk), but you need the right cable to plug it into another machine.

macOS Sierra: Transfer files between two computers using target disk mode 

Long-term, you might think about a good automated backup situation.  Apple offers Time Capsule, which keeps the drive hardware detached from the USB port, and gives you super simple backup and restore capabilities.  If you have a mix of hardware, then things get a little more complicated, but there are a few hybrid cloud/local backup solutions that are reasonably priced and decent.  The cloud storage aspect is good for scenarios like ransomware or a house fire where you end up losing both the machine and your backup disks.  Some of the better ones can even overnight you a hard disk with all your data, so that you're back up and running quickly.

New Here, Dec 18, 2018

Yesterday I downloaded an Adobe update that I believe was from the Adobe website and I've had symptoms exactly like those outlined in this thread's initial post. I'm getting notifications about some virus scan happening, things like: 456 defects found...click to clean. How do I get this malicious Adobe application and installer off my computer? I'm not a computer wiz and appreciate the help. Thank you.

Adobe Employee, Dec 18, 2018

Unfortunately, it sounds like you downloaded a malicious installer.  Can you check your browser's download history to see where the file was downloaded from?  For example:

  • On Chrome, go to chrome://downloads, right-click on the file in question and select 'copy link address'.
  • On Firefox, go to about:downloads, right-click on the file in question and select 'Copy Download Link'
  • On Safari, click on the download icon to the right of the address field to display the list of downloaded files.  Then right-click on the file in question and select 'Copy Address'

You can private message me the link and I'll send it to our fraud team.  To send a PM, click on my user_name link and then on the 'Message' button link.

Unfortunately, we're not equipped to provide tech support to assist with removing viruses, adware, malware, etc.  You can download a trusted anti-virus/malware/adware program to use or take your system to a trusted technician to remove it for you.

LEGEND, Sep 18, 2018

If you install a bad download/fake with malware the best approach is to back up your data, wipe the machine, and start again. This is not a popular solution. You will otherwise never know if these bad apps are stealing your personal data etc.

LEGEND, Sep 26, 2018

If you install a bad download/fake with malware the best approach is to back up your data, wipe the machine, and start again. This is not a popular solution. You will otherwise never know if these bad apps are stealing your personal data etc.

Advisor, Sep 26, 2018

Try SpyHunter before wiping out your HD.
